A large number of Chinese smartphones were used as unwilling participants in a huge DDoS attack, briefly overwhelming an unnamed web server, according to Cloudflare. The attack saw over 4.5 billion separate data requests in a single day. The attack used a browser-based HTTP flood, which is something that has been done before at small scales but never with this many hits. The requests came almost universally from China and mostly from mobile devices, with app-specific user agents.

Cloudflare has a blog post detailing the attack for those interested in the technical details, including snippets of the JavaScript used in the attack, but the gist of it is that a large number of mobile devices, and some desktops, opened a site that forwarded them to one of many “attack sites” containing some JavaScript code that launched a flood of XHR requests against the Cloudflare-protected site. This was done using 650,000 unique IPs, which is a very large distributed flood.

After this is where the evidence ends, and Cloudflare must speculate as to how that happened. They believe it was done using ad networks that sell ads via auction to display inside mobile apps. This would explain the very high number of requests coming very quickly, peaking at 275,000 HTTP requests per second, as well as the fact that real browsers were used in the attack with no TCP or code injection, like the one the Chinese Great Cannon uses.

This presents a grave new threat to the internet, Cloudflare claims, as smaller website operators have no real defense against these kind of high-level DDoS attacks.